github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-24 20:24:09 +00:00
Code Issues Projects Releases Wiki Activity

azure: msi: add managed identity field, logic

Browse Source 
The azure cloudprovider will now use the Managed Service Identity
to retrieve access tokens for the Azure ARM APIs, rather than
requiring hard-coded, user-specified credentials.
This commit is contained in:
Cole Mickens 2017-01-09 19:53:17 -08:00
parent f818cbeaed
commit 4521c2312c
1 changed files with 13 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
pkg/cloudprovider/providers/azure/azure.go
View File

@ -107,6 +107,9 @@ type Config struct {
// Use instance metadata service where possible
UseInstanceMetadata bool `json:"useInstanceMetadata" yaml:"useInstanceMetadata"`
// Use managed service identity for the virtual machine to access Azure ARM APIs
UseManagedIdentityExtension bool `json:"useManagedIdentityExtension"`
}
// Cloud holds the config and clients
@ -152,13 +155,20 @@ func newServicePrincipalToken(az *Cloud) (*adal.ServicePrincipalToken, error) {
return nil, fmt.Errorf("creating the OAuth config: %v", err)
}
if len(az.AADClientSecret) > 0 {
if az.UseManagedIdentityExtension {
glog.V(2).Infoln("azure: using managed identity extension to retrieve access token")
return adal.NewServicePrincipalTokenFromMSI(
*oauthConfig,
az.Environment.ServiceManagementEndpoint)
} else if len(az.AADClientSecret) > 0 {
glog.V(2).Infoln("azure: using client_id+client_secret to retrieve access token")
return adal.NewServicePrincipalToken(
*oauthConfig,
az.AADClientID,
az.AADClientSecret,
az.Environment.ServiceManagementEndpoint)
} else if len(az.AADClientCertPath) > 0 && len(az.AADClientCertPassword) > 0 {
glog.V(2).Infoln("azure: using jwt client_assertion (client_cert+client_private_key) to retrieve access token")
certData, err := ioutil.ReadFile(az.AADClientCertPath)
if err != nil {
return nil, fmt.Errorf("reading the client certificate from file %s: %v", az.AADClientCertPath, err)
@ -173,9 +183,9 @@ func newServicePrincipalToken(az *Cloud) (*adal.ServicePrincipalToken, error) {
certificate,
privateKey,
az.Environment.ServiceManagementEndpoint)
} else {
return nil, fmt.Errorf("No credentials provided for AAD application %s", az.AADClientID)
}
return nil, fmt.Errorf("No credentials provided for AAD application %s", az.AADClientID)
}
// NewCloud returns a Cloud with initialized clients